Pachno 1.0.6 (return_to) Open Redirection


Vendor: Daniel André Eikeland
Product web page: https://github.com/pachno/pachno
Affected version: 1.0.6

Summary: Pachno is an open-source collaboration platform (formerly known as The Bug Genie) designed for team project management, issue tracking, and documentation. It offers a module-based, customizable environment for software development and team workflows, distributed under the Mozilla Public License.

Desc: Input passed via the return_to GET/POST parameter to the login endpoint is not properly verified before being used to redirect users. The _getLoginForwardUrl() helper only applies htmlentities() to the value, a function intended for HTML output encoding that does not validate URL schemes or hosts, and then issues a Location header with the otherwise unmodified URL. This can be exploited to redirect a user to an arbitrary external website and conduct phishing attacks.

Tested on: GNU/Linux
           Apache2
           PHP/7.4
           MySQL/5.7 (MariaDB)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2026-5981
Advisory URL: https://www.zeroscience.mk/#/advisories/ZSL-2026-5981


06.04.2026

--


https://127.0.0.1/login?return_to=https://www.zeroscience.mk/pachno_relogin.phtml
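As an added example (not Pachno's own code), the validator below shows the kind of check that _getLoginForwardUrl() lacks: it accepts only a local, path-only return_to value and falls back to a fixed landing page otherwise, and it shows why htmlentities() alone changes nothing about where the Location header points. The default path /dashboard and the sample values are assumptions constructed for the demo.

```php
<?php
// Added example, not Pachno code. Assumption: $default is the
// application's post-login landing page.
function safe_return_to(?string $value, string $default = '/dashboard'): string
{
    if ($value === null || $value === '') {
        return $default;
    }
    // Reject control characters and whitespace that could alter the header.
    if (preg_match('/[\x00-\x20\x7f]/', $value)) {
        return $default;
    }
    // Require a single-slash local path: "/path". This rejects "https://host",
    // protocol-relative "//host", the "/\host" variant and "javascript:" values.
    if ($value[0] !== '/' || (strlen($value) > 1 && ($value[1] === '/' || $value[1] === '\\'))) {
        return $default;
    }
    // parse_url() must agree that there is no scheme and no host component.
    $parts = parse_url($value);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    return $value;
}

// htmlentities() is an HTML output encoder: for a plain URL it returns the
// input unchanged, so the redirect target is not restricted at all.
$external = 'https://example.invalid/relogin';   // constructed sample value
var_dump(htmlentities($external) === $external); // bool(true)

// Constructed samples: input => expected result of the hardened check.
$samples = [
    '/dashboard'                      => '/dashboard',
    '/issues/42?view=all'             => '/issues/42?view=all',
    'https://example.invalid/relogin' => '/dashboard',
    '//example.invalid/relogin'       => '/dashboard',
    '/\\example.invalid'              => '/dashboard',
    "/ok\r\nX-Injected: 1"            => '/dashboard',
];
foreach ($samples as $in => $expected) {
    $out = safe_return_to($in);
    printf("%-36s -> %-22s %s\n", addcslashes($in, "\0..\37\177"), $out,
        $out === $expected ? 'ok' : 'MISMATCH');
}

// In the login handler the redirect would then be issued as:
//   header('Location: ' . safe_return_to($_REQUEST['return_to'] ?? null));
```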